90

I set up a site with Node.js+passport for user authentication.

Now I need to migrate to Golang, and need to do authentication with the user passwords saved in db.

The Node.js encryption code is:

    var bcrypt = require('bcrypt');

    bcrypt.genSalt(10, function(err, salt) {
        if(err) return next(err);

        bcrypt.hash(user.password, salt, function(err, hash) {
            if(err) return next(err);
            user.password = hash;
            next();
        });
    });

How to make the same hashed string as Node.js bcrypt with Golang?

Improve this question

4 Answers 4

Reset to default
165

Using the golang.org/x/crypto/bcrypt package, I believe the equivalent would be:

hashedPassword, err := bcrypt.GenerateFromPassword(password, bcrypt.DefaultCost)

Working example:

package main

import (
    "golang.org/x/crypto/bcrypt"
    "fmt"
)

func main() {
    password := []byte("MyDarkSecret")

    // Hashing the password with the default cost of 10
    hashedPassword, err := bcrypt.GenerateFromPassword(password, bcrypt.DefaultCost)
    if err != nil {
        panic(err)
    }
    fmt.Println(string(hashedPassword))

    // Comparing the password with the hash
    err = bcrypt.CompareHashAndPassword(hashedPassword, password)
    fmt.Println(err) // nil means it is a match
}
Improve this answer
Sign up to request clarification or add additional context in comments.

8 Comments

Thank you. I use bcrypt.CompareHashAndPassword to compare the password and the string written by node.js in db, and return nil. Originally I thought the generated strings are always the same. Now I understand. Really appreciate.
@user2036213: I have never used bcrypt before either and was a bit surprised that each run resulted in a new hash for the same password. But it still works fine. We learn new things every day :). Happy Go coding!
Erm, that's what the random salt is good for - to make sure that two users with the same password will not have the same (salted) hash. Here's a lengthy but good background article.
@rob74: I see. I missed the fact that the hash produced by bcrypt includes the bcrypt version, cost, salt and cipher, not only the cipher (stackoverflow.com/a/6833165/694331). Thanks for the article!
@majidarif When comparing, the string is hashed as well; it is by design. To create a hash and to compare a hash has the same cost. I'd say it is working as intended :)
|
9

Take a look at the bcrypt package from go.crypto (docs are here).

To install it, use

go get golang.org/x/crypto/bcrypt

A blog entry describing the usage of the bcrypt package can be found here. It's from the guy who wrote the package, so it should work ;)

One difference to the node.js library you are using is that the go package doesn't have an (exported) genSalt function, but it will generate the salt automatically when you call bcrypt.GenerateFromPassword.

Improve this answer

Comments

2

Firstly you need import the bcrypt package

go get golang.org/x/crypto/bcrypt

Then use GenerateFromPassword

bs, err := bcrypt.GenerateFromPassword([]byte(p), bcrypt.MinCost)
    if err != nil {
        http.Error(w, "Internal server error", http.StatusInternalServerError)
        return
    }
Improve this answer

Comments

1

Another way

dataEncrypt, _ := bcrypt.GenerateFromPassword([]byte(yourData), bcrypt.DefaultCost)

the second parameter 'bcrypt' can take multiple values and for compare you can use

error := bcrypt.CompareHashAndPassword([]byte(yourDataEncript), []byte(dataText))

very useful for password use

Improve this answer

1 Comment

Does it automatically create the salt?

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.